Our sponsor SchoolPro TLC provides a briefing on recent updates from the Information Commissioner’s Office (ICO), with valuable new guidance on the use of biometric data by organisations, including Multi Academy Trusts (MATs) and Schools. The guidance is relevant for leaders within educational institutions: it outlines the legal and ethical responsibilities involved, helps you to navigate compliance with Data Protection laws, and provides best practices for implementing biometric technologies in a way that safeguards students’ and staff members’ personal information.

What is Biometric Data?

Biometric data is a type of personal information. Article 4(14) of the UK GDPR defines biometric data as: “Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm someone’s unique identification of that natural person, such as facial images or fingerprint data.” This means that personal information is only biometric data if it:
Who Can Consent to Biometric Data

Consent for biometric data needs to be treated differently than other consents and has specific, stringent criteria. The Data Protection Act gives pupils rights over their own data when they are considered to have adequate capacity to understand. Most pupils will reach this level of understanding at around age 13.

However, the Protection of Freedoms Act 2012, which governs the use of biometric data in schools in the UK, has different requirements. Under this Act, the consent of at least one parent is required to process the biometric data of a child under 18. If the child or any parent objects, the school cannot process the child's biometric data.

Schools must notify each parent of a pupil or student under the age of 18 if they wish to take and subsequently use the child’s biometric data as part of an automated biometric recognition system. As long as the child or a parent does not object, the written consent of only one parent will be required for a school or college to process the child’s biometric information. A child does not have to object in writing but a parent’s objection must be written.

Third Party Contractors
Guidance from the ICO
What does this mean for MATs and Schools?

The decision to implement automated biometric technology is the decision of MATs and schools. However, they should carefully assess the purpose of its use and the necessity and proportionality of processing, and consider the potential implications, such as operational requirements, handling of personal information, possible data breaches, and legal obligations.

It is also important for schools to reflect on the ethical considerations around the use of biometric data, including privacy concerns and the potential for future misuse of such data, even when collected in a lawful manner. Schools should consider whether biometric data is truly necessary and proportional for the task at hand.

Here are some key actions for schools considering or already using biometric data:

1. Conduct a Data Protection Impact Assessment (DPIA)
Before implementing any biometric system, schools should carry out a DPIA to assess risks and determine whether biometric data processing is necessary and proportionate. This should be reviewed regularly to account for any changes in technology or usage.

2. Obtain Proper Consent
Ensure written parental consent is obtained in compliance with the Protection of Freedoms Act 2012. Schools should also have a clear, documented process for managing consent withdrawals or objections from either the student or their parents.

3. Be Transparent with Parents and Students
Provide clear, accessible information explaining how biometric data will be used, stored, and protected. Schools should offer regular opportunities for parents and students to ask questions or raise concerns.

4. Implement Robust Security Measures
Ensure that any biometric data collected is stored securely, with encryption and access controls in place to prevent unauthorised access. Schools should also regularly review their security practices to ensure they remain adequate in light of evolving risks.

5. Choose Vendors Carefully
When selecting a third-party contractor, schools must perform due diligence to ensure that the vendor complies with UK GDPR and has strong Data Protection measures in place. A contract should clearly outline Data Protection responsibilities and require the vendor to carry out DPIAs.

6. Regularly Audit Data Practices
Conduct regular audits of how biometric data is processed, ensuring that all practices remain compliant with relevant legislation. This includes reviewing how data is stored, who has access to it, and how consent is managed.

7. Prepare for Data Breaches
Develop a clear plan for managing data breaches involving biometric data, including informing affected students, parents, and the ICO if necessary. Ensure that all staff members are aware of the procedure for reporting a breach.

By incorporating these steps, schools can ensure they not only comply with legal requirements but also protect the privacy and rights of their students. For more detailed information, including lawful basis considerations and best practices, please read the full guidance provided by the ICO.

By Soton Soleye, SchoolPro TLC
SchoolPro TLC Ltd (2024)
SchoolPro TLC guidance does not constitute legal advice. SchoolPro TLC is not responsible for the content of external websites.
© COPYRIGHT 2022 SOUTH WEST INSTITUTE FOR TEACHING SWIFT. ALL RIGHTS RESERVED | Website by brightblueC